On 10.03.2020 a security-relevant correction was released by SAP SE. The manufacturer resolves an issue within the Java stack.
SAP Note 2890213 addresses "[CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)". It fixes a missing authentication check; SAP rates the risk of exploitation as Hot News.
A workaround does exist, according to the SAP Security Advisory team. The team nevertheless advises implementing the correction as part of regular maintenance.
Risk specification
This note has been re-released with updated "Support Packages & Patches" information. For the release SOLMANDIAG 720, SP011 and Patch level 000004 were added.
- SAP Solution Manager User-Experience Monitoring does not perform any authentication for a service, resulting in complete compromise of all SMDAgents connected to the Solution Manager. The risk rises since a public exploit exists!
SAP Solution Manager User-Experience Monitoring now properly checks the authentication. Circumstances may exist that prevent the timely installation of the patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Manual activation of EemAdmin authentication as described in the note is a partial fix."
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for:
- 10.0 [CVE-2020-26829] Missing Authentication Check in SAP NetWeaver AS JAVA (P2P Cluster Communication)
- 9.8 [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)
- 8.6 [CVE-2020-6235] Missing authentication check in SAP Solution Manager (Diagnostics Agent)
- 8.5 [CVE-2020-6294] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
- 8.3 [CVE-2020-6298] Missing Authorization check in SAP Banking Services (Generic Market Data)